Flame

For many years, viruses and trojan horses have been used as components in a low-level warfare between different parties around the world. It’s long been assumed that governments were involved, but scant proof has been given to assert such a thing. Furthermore, a substantial part of the criminal element has leveraged virus and trojan technologies to do things like create spam networks, steal information from unsuspecting targets, or threaten to take down computers as part of extortion schemes.

What is different with the Flame virus is that it seems to be organized around principles of information gathering that have not been combined in this way before. The virus can extract financial information from a computer, track every key that is typed on a keyboard, and even use Bluetooth devices to listen in on real-world conversations and send those conversations to remote servers. In other words, this is a super-spy walking among unsuspecting victims under the cloak of ones and zeros.

But wait, there’s more. The virus also leverages some practices that allow it to update itself with new and more threatening components as required. While such update mechanisms are not new (I first reported on viruses with plug-ins over a decade ago), the way in which it is organized represents new levels of complexity that showcase the work of very smart individuals. While discovered on computers outside of the United States, I wouldn’t be surprised if it, or its descendants, made their way to the US along with the rest of the world over the next few months.

This basically means that any place where an electronic device is located is a potential vector for listening in and an ever decreasing number of areas are safe from prying ears.

Stuxnet

Stuxnet is an older virus but is related, to some extent, to Flame. The authors of Flame, while different from those of Stuxnet, are either related or have learned much from the development of Stuxnet. We have now learned that Stuxnet was actually designed as part of a covert electronic warfare action led by the United States and Israel against the Iranian nuclear program. The purpose of that virus was to attack specific machines in the Iranian nuclear program and make them function in such a way that it would cast doubt on their proper functioning among Iranian scientists.

Think of it as an act of electronic sabotage to delay the progress on the development of a nuclear device (or the advance of a nuclear programme of another form, if that’s what you believe in). Either way, this is a covert action against a sovereign government that was launched without any official act of war set in place. Whether you care or not about Iran having a nuclear bomb (and I am of the opinion that the fewer countries with nuclear capabilities, the better), it brings up some interesting questions about how democratic governments handle foreign policy. Is it OK for the US government to attack the infrastructure of a foreign country without being in a declared state of conflict (or war) with said country?

The reason such a question is important is that how one answers it sets a precedent for what is and isn’t acceptable in terms of electronic warfare. It also sets a precedent for what the US can and cannot denounce as evil behavior from other countries. If China were to release a virus equivalent to Stuxnet against Taiwan, would that be OK? If Russia were to do the same against Ukraine or Estonia, would that be fine?

Much as the US use of nuclear bombs on Hiroshima and Nagasaki in 1945 was not only a way to end World War II but also a warning sign to what was then seen as a growing threat from communist China and Russia, the use of Stuxnet has created a dangerous new line of thinking for the US.

Are we prepared?

One of the nastiest justifications for invading Iraq came in the dramatic image of “a mushroom cloud over an American city.” With the revelation that the US had been involved in the development of Stuxnet as part of a cyber-warfare effort called “Olympic Games”, the question can now be turned around: how long before our electronic infrastructures are crippled by an electronic attack?

In 2001 and 2002, many members of the financial industry did much to handle two crises in a way that didn’t affect the public: the attack on the World Trade Center and the electric outage of summer 2002 both threatened to take down the whole ATM network in the northeast of the United States. Such a takedown would have essentially kept people from being able to withdraw money electronically and could have potentially caused substantial panic as people realized that their finances were running as electronic bits powered by electric power. Many professionals worked to avert such crises, and the system hummed.

Meanwhile, everyday heroes keep boring back-end electronic systems, with code that hasn’t been thrown out since the 1970s, humming and powering critical parts of our world: the water supply, heat supply, electric power grid, telecommunication networks, and much of what runs on top of all of it are all controlled by software. Each of those points is a potential hotspot and target for terrorists and governments; a failure in any single one of them could cripple the nation for days, weeks, or months.

A couple of years ago, Richard Clarke, one of America’s foremost authorities on security (he was among the first senior officials to warn about the Al-Qaeda threat, long before 9/11), published a book called Cyberwar. In it, he warned that the nation was woefully unprepared for electronic threats.

A need for a new military division

The US military is basically divided along three lines: air, land, and sea. But where does the internet fall? Where does other electronic infrastructure fall? Today that division is unclear and the source of much political infighting between the different branches of the US military. The United States Cyber Command (aka USCYBERCOM) works as a coordinating group between the different divisions in the Army, Navy, Air Force and Marine Corps that handle electronic warfare. With its composition spread around several different groups in the military, its ability to react may be limited in an emergency.

What is needed is a new organization for the 21st century that could meet and deal with challenges against electronic infrastructure and potentially work as an offensive cyber-warfare arm against enemies: what is needed is no less than a sixth military department that would be called the department of digital infrastructures.

It would find its roots in the forces currently aligned under USCYBERCOM and sit at the same level as the Army, Navy, and Air Force; a portion of the NSA would probably end up in that reporting line too. Its mandate would be extended to include not just the defense of defense-related infrastructures but also the defense of civilian ones.

It would have a member sitting as part of the joint chiefs; and its role would be the protection of all electronic and digital infrastructures as well as offensive capabilities in that space.

Its powers would be granted and extended in the same fashion as those of the other departments are, with the same types of checks and balances that exist on the other departments.

Along with this reorganization (probably one of the largest government reorganizations since the creation of the Department of Homeland Security), the president would make a clear statement that attacks on any US electronic infrastructure by a sovereign government would be seen as an act of aggression and treated in the same way as we would treat any act of aggression against physical infrastructure. A strong and powerful statement would have to be crafted to highlight that, in the 21st century, the US will not wait for a digital Pearl Harbor but will work to prevent such a thing from happening by arming itself with the appropriate electronic deterrents and working hard to ensure it does not have to use them.

The world has entered a new era of warfare and its new battlefield will be the electronic one. It is time for this country (and all countries) to accept this reality and prepare for the new threats associated with it.

Now that it has self-destructed, it’s a little harder, but the working parts seemed to make it a highly viral, configurable tool that will probably resurface in some way down the road.

From a working standpoint, it did the usual spy stuff, which includes grabbing registered password files, keylogging, and screen logging. It had an interesting component that also tried to install itself over Bluetooth, which may mean it would use a Bluetooth receiver as a listening vector.
